Deploying DKIM on Debian and Ubuntu

This guide will demonstrate how to deploy DKIM on Debian-based Linux distributions. Other distributions work similarly, except that some do not use the scripts in init.d; the configuration of DKIM itself is the same. I will discuss HOW to deploy it, not WHY to deploy it, as I assume you’ve already decided to do so.

1. Install the package dkim-filter

apt-get install dkim-filter

(To avoid confusion: it’s ‘filter’ with an ‘f’, not ‘milter’, which this package is also called. Other distributions might use different package names.)

2. Create a folder to store your keys. My suggestion would be to create the folder ‘keys’ in /etc/mail/dkim-filter.

3. Inside that folder create another folder for each domain name you would like to send mail for. In this example I’ll use domain1.com and domain2.com, so I create a folder for both in the ‘keys’ folder.

4. Open the folder for your domain (if using multiple, repeat this process for each domain).

cd domain1.com

5. Now generate a keypair for this domain. In the following command you specify the domain name and a unique selector (any name will do, for example the current month and year).

dkim-genkey -s dec2011 -d domain1.com

6. You now have two files, the public key (dec2011.txt) and the private key (domain1.com.private). Rename the private key to the form ‘selector_domain’.

mv domain1.com.private dec2011_domain1.com

7. In the folder ‘keys’ create a key file with the name ‘keyfile’. Create a line for each domain, as in this example:

*@domain1.com:domain1.com:/etc/mail/dkim-filter/keys/domain1.com/dec2011_domain1.com
*@domain2.com:domain2.com:/etc/mail/dkim-filter/keys/domain2.com/dec2011_domain2.com

8. By default a user named ‘dkim-filter’ has been created for DKIM. If you want to use something different, create a different user. Make sure it cannot log in by editing /etc/passwd and changing the shell (/bin/sh, /bin/bash) for that user to /bin/false. Now give ownership of the ‘keys’ folder to that user and restrict the permissions to that user (the 770 below also grants the user’s group access; use 700 if the group needs none).

chown -R dkim-filter /etc/mail/dkim-filter/keys && chmod 770 /etc/mail/dkim-filter/keys

9. Store the public key for domain1.com (dec2011.txt) somewhere else, as you’ll be needing it for the DNS records.

10. The filter needs a socket that your mail server can connect to. Pick a port number higher than 1024 which is not in use on that server (like 8891). Make sure that your mail server can connect to that port, so adjust any firewall rules if necessary. If it’s running on the same server, then we’ll use the loopback address 127.0.0.1.

11. Edit your /etc/dkim-filter.conf file. In this example I’ll use port 8891 as the socket. My mail server is running on the same server, so I use the loopback address 127.0.0.1. If any of these settings don’t exist in the file, just create them.

Syslog              Yes  #enable the syslog to report errors
Socket              inet:8891@127.0.0.1  #the socket which you'll be using (step 10)
Userid              dkim-filter   #the username which is used by DKIM (step 8)
KeyList             /etc/mail/dkim-filter/keys/keyfile  #the path to the keyfile

12. Now we edit the dkim-filter startup file. In most distributions this is the file /etc/init.d/dkim-filter. In here, change USER and GROUP if you changed the DKIM user and group name on the server; otherwise leave those. Now set SOCKET to the socket you’ve specified in /etc/dkim-filter.conf.

SOCKET=inet:8891@127.0.0.1

13. Save the file, and restart DKIM.

/etc/init.d/dkim-filter restart

If this command doesn’t work, consult your distribution manual about starting services.

14. With the public key for each of the domains, generate a DNS record. You can generate the records from this page. Put each of them in the DNS zone for each domain.

The generator at the above link does have an issue with the name of the TXT record. You can correct it by following this example:

In the zone for domain1.com, you can specify the TXT record as either of the two:

dec2011._domainkey                IN   TXT    "XXXXXXXXXXXX"
dec2011._domainkey.domain1.com.   IN   TXT    "XXXXXXXXXXXX"

Note the trailing dot at the end of the fully qualified name that includes the domain.
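To keep steps 6, 7, 8 and 14 consistent when you repeat them for many domains, here is an added helper script (not part of the original guide). It assumes the folder layout used above (/etc/mail/dkim-filter/keys/DOMAIN/SELECTOR_DOMAIN) and the single-line SELECTOR.txt format that dkim-genkey writes; the sample record in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the key layout the guide uses.
KEYROOT=/etc/mail/dkim-filter/keys

# Step 7: one KeyList line for a domain, "*@domain:domain:path-to-private-key".
# $1 = domain, $2 = selector
keylist_line() {
    printf '*@%s:%s:%s/%s/%s_%s\n' "$1" "$1" "$KEYROOT" "$1" "$2" "$1"
}

# Step 14: the fully qualified TXT record name; the trailing dot matters in a zone file.
# $1 = domain, $2 = selector
txt_record_name() {
    printf '%s._domainkey.%s.\n' "$2" "$1"
}

# Step 14: take the quoted key data from the SELECTOR.txt file written by dkim-genkey
# (assumed single-line format) and emit a zone record with the correct fully qualified name.
# $1 = domain, $2 = selector, $3 = path to SELECTOR.txt
txt_record_from_genkey() {
    data=$(sed -n 's/.*TXT[[:space:]]*\(".*"\).*/\1/p' "$3" | head -n 1)
    [ -n "$data" ] || return 1
    printf '%s\tIN\tTXT\t%s\n' "$(txt_record_name "$1" "$2")" "$data"
}

# Step 8 check: the keys folder must belong to the filter user and grant nothing to "other",
# so the private keys are not readable by every local account.
# $1 = directory, $2 = expected owner
keys_dir_ok() {
    [ -d "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{print $3}')
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$owner" = "$2" ] && [ "$other" = "---" ]
}
```

Run keylist_line once per domain and append the output to the keyfile; run keys_dir_ok after step 8 to confirm the ownership and mode before restarting the filter.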

At this point DKIM is working. Now you just need to point your mail server to this socket. Consult the documentation of each server. For your convenience, I’ve added the instructions for the popular server sendmail.

Sendmail configuration
Edit your Sendmail configuration file (/etc/mail/linux.cf) and add this line:

INPUT_MAIL_FILTER(`dk-filter', `S=inet:8891@127.0.0.1')dnl

While in the folder which contains the ‘linux.cf’ file, run these commands to compile the configuration and install the result (m4 writes to standard output, so redirect it into a new file rather than moving the source):

m4 linux.cf > sendmail.cf
mv sendmail.cf /etc/sendmail.cf
